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Foreword 



rd , 



This Technical Specification (TS) has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

X the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 



This Technical Specification has been produced by the 3GPP TSG SA to allow for the standardisation in the area of 
lawful interception of telecommunications. This document describes in general the architecture and functions for lawful 
interception. Laws of individual nations and regional institutions (e.g. European Union), and sometimes licensing and 
operating conditions define a need to intercept telecommunications traffic and related information in modern 
telecommunications systems. It has to be noted that lawful interception shall always be done in accordance with the 
applicable national or regional laws and technical regulations. 
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Scope 



The present document describes the architecture and functional requirements within a Third Generation Mobile 
Communication System (3GPP MS). 

The specification shows the service requirements from a Law Enforcement point of view only. The aim of this 
document is to define a 3GPP MS interception system that supports a number of regional interception regulations, but 
these regulations are not repeated here as they vary. Regional interception requirements shall be met in using specific 
(regional) mediation functions allowing only required information to be transported. 



References 



The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication, edition number, version number, etc.) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including 
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same 
Release as the present document. 

[1] ETR 331: "Definition of User Requirements for Lawful Interception of Telecommunications 

Requirements of the Law Enforcement Agencies". 

[2] ES 201 158: "Lawful Interception; Requirements for network functions". 

[3] ES 201 671: "Handover Interface for the lawful interception of telecommunications traffic". 

[4] GSM 01.33: "Lawful Interception requirements for GSM". 

[5] GSM 02.33: "Lawful Interception - stage 1". 

[6] GSM 03.33: "Lawful Interception - stage 2". 

[7] 3G TS 33. 106: "3GPP Lawful Interception Requirements". 

[8] J-STD-25: "Interim Standard, Lawfully Authorised Electronic Surveillance". 
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Definitions, symbols and abbreviations 



3.1 



Definitions 



For the purposes of the present document, the following terms and definitions apply. 

Network Based Interception: Interception that is invoked at a network access point regardless of Target Identity. 

Subject Based Interception: Interception that is invoked using a specific Target Identity 

Target Identity: A technical identity that uniquely identifies a target of interception. One target may have one or 
several identities. 

Interception Area: is a subset of the network service area comprised of a set of cells which defines a geographical 
zone. 

Location Dependent Interception: is interception of a target mobile within a network service area that is restricted to 
one or several Interception Areas (lA). 



3.2 



Abbreviations 



For the purposes of the present document, the following abbreviations apply: 

3GPP MS 3rd Generation Mobile Communication System 

3G GGSN 3rd Generation Gateway GPRS Support Node 

3G GSN 3rd Generation GPRS Support Node (GGSN/SGSN) 

3G MSC 3rd Generation Mobile Switching Center 

3G SGSN 3rd Generation Serving GPRS Support Node 

3G UMSC 3rd Generation Unified Mobile Switching Centre 

ADMF Administration Function 

CC Content of Communication 

DF Delivery Function 

ECT Explicit Call Transfer 

GPRS General Packet Radio Service 

HI Handover Interface 

lA Interception Area 

ICEs Intercepting Control Elements (3G MSC Server, 3G GMSC Server, P-CSCF, S-CSCF, SGSN, 

GGSN) 

INEs Intercepting Network Elements (,3G MSC Server, 3G GMSC Server, P-CSCF, S-CSCF, SGSN, 

GGSN, MGW) 

IP Internet Protocol 

IRI Intercept Related Information 

LDI Location Dependent Interception 

LEA Law Enforcement Agency 

LEMF Law Enforcement Monitoring Facility 

RA Routing Area 

RAI Routing Area Identitiy 

SAI Service Area Identity 



4 Functional architecture 

The following figures contain the reference configuration for the lawful interception. The circuit-switched configuration 
is shown in figure la. The packet-switched configuration is shown in figure lb. The various entities and interfaces are 
described in more detail in the succeeding subclauses. 



£75/ 



3GPP TS 33.107 version 5.6.0 Release 5 



ETSI TS 133 107 V5.6.0 (2003-09) 



LEMF 



HI1 



Mediation 
Function 



ADMF 



X1 2 



HI2 



X1 3 



Mediation 
Function 



Delivery 
Function 2 



HIS 



X1 1 



X2 



Mediation 
Function 



Delivery 
Function 3 
Signaling 



Mediation 
Function 



Delivery 
Function 3 
Bearer 



X3 



MSC Server/ 
GMSC Server 



Mc 



MGW 



Figure 1a: Circuit switched intercept configuration 
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Figure lb: Pacl<et Switched Intercept configuration 
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Figure 1c: HLR Intercept configuration 

The reference configuration is only a logical representation of the entities involved in lawful interception and does not 
mandate separate physical entities. This allows for higher levels of integration. 

Regional Mediation Functions, which may be transparent or part of the administration and delivery functions, are used 
to convert information on the HIl, HI2 and HI3 interfaces in the format described in various national or regional 
specifications. For example, if ES 201 671 or J-STD-25 is used, then the adaptation to HIl, HI2 and HI3 will be as 
defined in those specifications. 

DF3 is responsible two primary functions: 

Call Control (Signaling) for the intercepted product; and 

Bearer Transport for the intercepted product. 

HI3 is the interface towards the LEMF. It must be able to handle the signalling and the bearer transport for the 
intercepted product. LEMF can be located within the 3G network or can be in any other network. 

There is one Administration Function (ADMF) in the network. Together with the delivery functions it is used to hide 
from the 3G ICEs that there might be multiple activations by different Law Enforcement Agencies (LEAs) on the same 
target. The administration function may be partitioned to ensure separation of the provisioning data from different 
agencies. 

The HI2 and HI3-interfaces represent the interfaces between the LEA and two delivery functions. The delivery 
functions are used: 

to distribute the Intercept Related Information (IRI) to the relevant LEA(s) via HI2 (based on lAs, if defined); 

to distribute the Content of Communication (CC) to the relevant LEA(s) via HI3 (based on lAs, if defined). 
See the remaining sections of this document for definitions of the Xl_l, Xl_2, Xl_3, X2 and X3 interfaces. 
Interception at the Gateways is a national option. 



5 Activation, deactivation and interrogation 

Figure 2 is an extraction from the reference intercept configuration shown in figure 1 which is relevant for activation, 
deactivation and interrogation of the lawful interception. 
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Figure 2: Functional model for Lawful Interception activation, deactivation and interrogation 

In addition to the typical 3G ICEs functional entities, a new functional entity is introduced - the ADMF - the Lawful 
Interception administration function. The ADMF: 

interfaces with all the LEAs that may require interception in the intercepting network; 

keeps the intercept activities of individual LEAs separate; 

interfaces to the intercepting network. 

Every physical 3G ICE is linked by its own Xl_l -interface to the ADMF. Consequently, every single 3G ICE performs 
interception (activation, deactivation, interrogation as well as invocation) independently from other 3G ICEs. The HIl- 
interface represents the interface between the requester of the lawful interception and the Lawful administration 
function; it is included for completeness, but is beyond the scope of standardisation in this document. 

The target identities for 3GPP MS CS and GPRS interception at the SGSN, GGSN, 3G MSC Server and 3G GMSC 
Server can be at least one of the following: IMSI, MSISDN or IMEI. 

The target identity for multi-media is the SIP URL at the CSCF. Other identities are for further study. 

In case of location dependent interception the following network/national options exist: 

target location versus Interception Areas (lAs) check in the 3G ICEs and Delivery Functions (DFs); 

target location versus lAs check in the DFs (physical collocation of the DFs to the 3G ICEs may be required by 
national law). 

NOTE 1 : The lA is previously defined by a set of cells. From the location of the target this set of cells permits to 
find the relevant lA. 

NOTE 2: It is not required that the 3G GMSC or the 3G GGSN are used for interception when Location Dependent 
Interception is invoked and the location of the target is not available. 

Location dependent intercept at the CSCF is for further study. 

Location dependent intercept for the 3G MSC Server and SSGN is for further study. 

The ADMF shall be able to provision P-CSCFs independently from S-CSCFs. If both P-CSCFs and S-CSCFs are 
administered within the network for intercept, redundant multi-media IRJ may be presented to the agency as a result. 



5.1 



Activation 



Figures 3,4 and 5 show the information flow for the activation of Lawful Interception. 

5.1.1 XI _1 -interface 

The messages sent from the ADMF to the 3G ICEs (Xl_l-interface) contain the: 
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- target identities (MSISDN, IMSI, IMEI or SIP URL) (see note 4); 

information whether the Content of Communication (CC) shall be provided (see note 1); 

address of Delivery Function 2 (DF2) for the intercept related information (see note 2); 

address of Delivery Function 3 (DF3) for the intercepted content of communications (see note 3); 

lA in case of location dependent interception. 

NOTE 1 : As an option, the filtering whether intercept product and/or intercept related information has to be 

provided can be part of the delivery functions. (Note that intercept product options do not apply at the 
CSCF). If the option is used, the corresponding information can be omitted on the Xl_l-interface, while 
"information not present" means "intercept product and related information has to be provided" for 
thelCE. Furthermore the delivery function which is not requested has to be "pseudo-activated", in order to 
prevent error cases at invocation. 

NOTE 2: As an option, only a single DF2 is used by and known to every 3G ICE. In this case the address of DF2 
can be omitted. 

NOTE 3: As an option, only a single DF3 is used by and known to every 3G ICE (except at the CSCFs). In this 
case the address of DF3 can be omitted. 

NOTE 4: Since the IMEI is not available, interception of IMEI is not applicable at the 3G Gateway. 

NOTE 5: Interception at the CSCFs is based only upon SIP URL. However, SIP URL as a target identity is not 
supported the other ICEs. 

If after activation subsequently Content of Communications (CC) or Intercept Related Information (IRI) has to be 
activated (or deactivated) an "activation change request" with the same identity of the target is to be sent. 
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interception activation 














... activation of delivery 
functions ... 










lawful interception 
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response for lawful 


lawful interception 
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Figure 3: Information flow on X1_1 -interface for Lawful Interception activation 

Interception of a target can be activated on request from different LEAs and each LEA may request interception via a 
different identity. In this case, each target identity on which to intercept will need to be sent via separate activation 
messages from ADMF to the 3G ICEs on the Xl_l -interface. Each activation can be for IRI only, or both CC and IRI. 

When several LEAs request activation on the same identity then the ADMF determines that there are existing 
activations on the identity. In this case, the ADMF may (as an implementation option) send an additional activation 
message to the 3G ICEs. When the activation needs to change from IRI only to CC and IRI an activation change 
message will be sent to the 3G ICEs. 

In case of a secondary interception activation only the relevant LEAs will get the relevant IRIs. 
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5.1.2 X1_2-interface (IRI) 



For the activation of IRI the message sent from the ADMF to the DP contains: 

the target identity; 

the address for delivery of IRI (= LEMF address); 

which subset of information shall be delivered; 

a DF2 activation identity, which uniquely identifies the activation for DF2 and is used for further interrogation or 
deactivation, respectively; 

the lA in case of location dependent interception; 

the warrant reference number if required by national option. 

If a target is intercepted for several LEAs and/or several identities simultaneously, a single activation of delivery is 
necessary for each combination of LEA and identity. 
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interception activation 



response for lawful 
interception activation 



lawful interception 
activation 



lawful interception 
activation ack 



activation on X1 3 



activation on X1 1 



Figure 4: Information flow on X1_2-interface for Lawful Interception activation 



5.1.3 X1_3-interface (CC) 



For the activation of intercepted Content of Communications the message sent from the ADMF to the Delivery 
Function contains: 

the target identity; 

the address of delivery for CC (= LEMF address); 

a DF3 activation identity, which uniquely identifies the activation for DF3 and is used for further interrogation or 
deactivation, respectively; 

the lA in case of location dependent interception; 

the warrant reference number if required by national option. 

If a target is intercepted by several LEAs and/or several identities simultaneously, a single activation of delivery is 
necessary for each combination of LEA and identity. 
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5.2 



Figure 5: Information flow on X1_3-interface for Lawful Interception activation 



Deactivation 



Figures 6,7 and 8 show the information flow for the deactivation of the Lawful interception. 

5.2.1 X1_1 -interface 

The messages sent from the ADMF to the 3G ICEs for deactivation contain: 
the target identity; 
the possible relevant lAs in case of location dependent interception. 
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Figure 6: Information flow on X1_1 -interface for Lawful Interception deactivation 

If interception of a target has been activated via different identities then a separate deactivation message will need to be 
sent from the ADMF to the 3G ICEs for each identity. 

When several LEAs requested activation on the same identity and subsequently request deactivation then the ADMF 
determines that there are remaining activations on the identity. In this case, the ADMF will not send a deactivation 
message to the 3G ICEs except when the activation needs to change from CC and IRl to IRl only. In that case an 
activation change message will be sent to the 3G ICEs. 
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5.2.2 X1_2-interface (IRI) 



The messages sent from the ADMF to Delivery Function 2 for the deactivation of the Intercept Related Information 
contain: 

a DF2 activation id, which uniquely identifies the activation to be deactivated for DF2. 

If a target is intercepted by several LEAs and/or several identities simultaneously, a single deactivation is necessary for 
each combination of LEA and identity. 
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Figure 7: Information flow on X1_2-interface for Lawful Interception deactivation 

5.2.3 X1_3-interface (CC) 

For the deactivating the delivery of the CC the messages from the ADMF to DF3 contain: 

a DF3 activation id, which uniquely identifies the activation to be deactivated for DF3. 
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Figure 8: Information flow on X1_3-interface for Lawful Interception deactivation 



5.3 Interrogation 



Interrogation provides the current status of the interception activation in the system. Interrogation of all activations for a 
given LEA is an ADMF function. 
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5.3.1 Interrogation of the 3G ICEs 



Figure 9 shows the information flow for the interrogation of the Lawful Interception. It shall be possible to interrogate 

a specific activation at each relevant 3G ICEs; 

all activations at each relevant 3G ICEs. 
As result of the interrogation the activation status and data are returned. 
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Figure 9: Interrogation of the Lawful Interception (3G ICEs) 



5.3.2 Interrogation of Delivery Functions 



Figure 10 shows the information flow for the interrogation of the Lawful Interception. It shall be possible to interrogate: 

a specific activation at a DF; 

all activations at a DF for a given target identity; 

all activations at a DF. 
As result of the interrogation the activation status and data are returned. 
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Figure 10: Interrogation of the Lawful Interception (Delivery Functions) 
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6 Invocation of Lawful Interception for Circuit Switched 

Services 

Figure 1 1 shows an extraction from the reference configuration in figure 1 which is relevant for the invocation of the 
lawful interception. 
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Figure 11: Functional model for Lawful Interception invocation 

The HI2 and HI3 interfaces represent the interfaces between the LEMF and two delivery functions. Both interfaces are 
subject to national requirements. They are included for completeness, but are beyond the scope of standardization in this 
document. The delivery functions are used: 

to convert the information on the X2-interface to the corresponding information on the HI2-interface; 

to convert the information on the X3-interface to the corresponding information on the HI3-interface; 

to distribute the intercept related information to the relevant LEA(s) (based on lAs, if defined); 

to distribute the intercept product to the relevant LEA(s) (based on lAs, if defined). 

In case a call is selected based on several identities (MSISDN, IMSI, IMEI) of the same target, the 3G MSC will deliver 
CC and IRI only once to the DF2 and DF3. DF2 and DF3 will then distribute the information to the relevant LEA that 
requested interception on a particular target identity. 

For the delivery of the CC and IRI, the 3G MSC Server provides a correlation number and target identity to the DF2 
and DF3 which is used there in order to select the different LEAs to which the product shall be delivered. 

NOTE: If interception has been activated for both parties of the call both CC and IRI will be delivered for each 
party as separate intercept activity. 

The Mc interface between the 3G MSC Server and MGW is used to establish intercept and deliver the bearer to DF3. 

For Location Dependent Interception, the location dependency check occurs at the establishment of each call. 
Subsequent dependency checks for simultaneous calls are not required, but can be a national option. 

If a target is marked using an lA in the 3G MSC Server, the 3G MSC Server shall perform a location dependency check 
at call set-up. Only if the target's location matches the lA then the call is intercepted. 

If a target is marked using an lA in the DF2, the DF2 shall perform a location dependency check at reception of the first 
IRI for the call. Only if the target's location matches the lA for certain LEAs is IRI the relayed to these LEAs. All 
subsequent IRIs for the call are sent to the same LEAs. 

If a target is marked using an I A in the DF3, the DF3 signalling function shall perform a location dependency check at 
reception of the CC. Only if the target's location matches the lA for certain LEAs is the CC relayed to these LEAs. 
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6.1 Provision of Intercept CC - Circuit Switched 

Figure 12 shows the access method for the delivering of CC. The access method shall be a bridged/ T-connection. 
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Figure 12: Delivery configuration to the LEMF for the interception of a circuit switched call 

The signals of both parties of the configuration to be intercepted are delivered separately to the LEMF. The delivery 
function has no impact on the connection between the subscribers. 

The two stublines towards the LEMF are established in parallel to the call set up. For both stublines the address is used 
which has been provided during activation. 

Bearer, and only bearer, is sent from the MGW to the bearer function of DF3. 

NOTE: For data calls it is necessary to provide means for fast call establishment towards the LEMF to help 
ensure that the beginning of the data transmission is delivered. 

The following information needs to be transferred from the 3G MSC Server (to be confirmed by SA WG3 LI group) to 
the DF3 in order to allow the DF3 to perform its functionality: 

- target identity (MSISDN, IMSl or IMEl); note 1 

the target location (if available) or the lAs in case of location dependent interception, note 1 

correlation number (IRl <-> CC); 

direction indication - (Signal from target or signal to target). 

NOTE 1 : For DF3 internal use only. 

Additional information may be provided if required by national laws. 

6.2 Provision of CC - Short IVIessage Service 

Figure 14 shows an SMS transfer from the 3G MSC Server to the LEMF. Quasi-parallel to the delivery from / to the 
mobile subscriber a message, which contains the contents of the SMS with the header, is generated and sent via the 
Delivery Function 2 to the LEMF in the same way as the Intercept Related Information. 

The IRI will be delivered to the LEMF: 

for a SMS-MO. Dependent on national requirements, delivery shall occur either when the 3G MSC receives the 
SMS from the target MS, or when the 3G MSC receives notification that the SMS-Centre successfully received 
the SMS; 
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for a SMS-MT. Dependent on national requirements, delivery shall occur either when the 3G MSC receives the 
SMS from the SMSC, or when the 3G MSC receives notification that the target MS sucessfrilly received the 
SMS. 
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Figure 14: Provision of Content of Communication - Short lUlessage Service 

6.3 Provision of Intercept Related Information 

Intercept Related Information (Events) are necessary at the Begin and End of the call, for all supplementary services 
during a call and for information which is not call associated. There are call related events and non call related events. 

Figure 15 shows the transfer of intercept related information to the DF2. If an event for / from a mobile subscriber 
occurs, the 3G MSC Server sends the relevant data to the DF2. 
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Figure 15: Provision of Intercept Related Information 

6.3.1 X2-interface 

The following information needs to be transferred from the 3G MSC Server to the DF2 in order to allow a DF2 to 
perform its functionality: 

- target identity (MSISDN, IMSI or IMEI); 

in case of location dependent interception, the lAs and/or target cell ID shall be provided. 

events and associated parameters as defined in subclauses 6.3.3 and 6.3.4 may be provided. 

The IRI should be sent to DF2 with a reliable transport mechanism. 
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6.3.2 Structure of the events 

The information sent to DF2 is triggered by up to eight different call related and non-call related events. Details are 
described in following subclause. The events for interception are configurable (if they are sent to DF2) in the 3G MSC 
Server and can be suppressed in the DF2. The events are listed as follows: 

Call Related Events: 

Call Establishment 
Answer 
Supplementary Service 

- Handover 

- Release 

Non Call Related Events: 

- SMS 

- Location Update 

Subscriber Controlled Input 

Table 1 below shows the set of information that is used to generate the events. The events transmit the information from 
the 3G MSC Server to DF2. This set of information can be extended in the 3G MSC Server, if this is necessary in a 
specific country. DF2 can extend this information if this is necessary in a specific country e.g. a unique number for each 
surveillance warrant. 
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Table 1 : Information Elements for Circuit Event records 



Observed MSISDN 

Target Identifier with the MSISDN of the target subscriber (monitored subscriber). 



Observed I MS I 

Target Identifier with the IMSI of the target subscriber (monitored subscriber) 



Observed IMEI 

Target Identifier with the IMEI of the target subscriber (monitored subscriber), 
It shall be checl<ed for each call over the radio interface 



event type 

Description which type of event is delivered: Establishment, Answer, Supplementary service, 
Handover, Release, SMS, Location update. Subscriber controlled input 



event date 

Date of the event generation in the 3G MSC Server 



event time 

Time of the event generation in the 3G MSC Server 



dialled number 

Dialled phone number before digit modification, IN-modification etc. 



Connected number 

Number of the answering party 



other party address 

Directory number of the other party for MOC 
Calling party for MTC 



call direction 

Information if the monitored subscriber is calling or called e.g. MOC/MTC or originating/ terminating 
In or/out 



Correlation number 

Unique number for each call sent to the DF, to help the LEA, to have a correlation between each 
Call and the IRI 



Network Element Identifier 

Unique identifier for the element reporting the ICE. 



Location Information 

Location information is the service area identity and/or location area identity that is present at the 3G MSC 
Server at the time of event record production 



basic service 

Information about Tele service or bearer service. 



Supplementary service 

Supplementary services used by the target e.g. CF, CW, ECT 



Forwarded to number 

Forwarded to number at CF 



call release reason 

Call release reason of the target call 



SMS initiator 

SMS indicator whether the SMS is MO, MT, or undefined 



SMS Message 

The SMS content with header which is sent with the SMS-service 



Redirecting number 

The number which invokes the call forwarding towards the target. This is provided if available. 



SCI 

Non call related Subscriber Controlled Input (SCI) which the 3G MSC Server receives from the ME 



£75/ 



3GPP TS 33.107 version 5.6.0 Release 5 



22 



ETSI TS 133 107 V5.6.0 (2003-09) 



6.3.3 Call Related events 



6.3.3.1 



Call establishment 



For call establishment a call establishment-event is generated. This event is generated at the begining of a call when the 
3G MSC Server attempts to reach the subscriber. This information will be delivered to the DF2 if available: 



Observed MSISDN 



Observed I MS I 



Observed IMEI 



event type 



event date 



event time 



dialled number 



other party address 



call direction 



Correlation number 



Redirecting number 



Network Element Identifier 



Location Information 



basic service 



Supplementary service 



6.3.3.2 Answer 

If the called party answers, an answer- event is generated. This information will be delivered to the DF2 if available: 
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event type 



event date 



event time 



dialled number 



other party address 



Connected party 



call direction 



Correlation number 



Redirecting number 



Network Element Identifier 



Location Information 



basic service 



Supplementary service 
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6.3.3.3 



Supplementary Services 



For supplementary services events are generated with the information which supplementary service is used e.g. Call 
Forwarding (CF), Call Waiting (CW), Explicit Call Transfer (ECT), Multi Party (MPTY), Call Hold and information 
correlated to the service like the forwarded to number. This information will be delivered to the DF2 if available: 



Observed MSISDN 



Observed I MS I 



Observed IMEI 



event type 



event date 



event time 



dialled number 



other party address 



call direction 



Correlation number 



Network Element Identifier 



Location Information 



basic service 



Supplementary service 



Forwarded to number 



6.3.3.4 



Handover 



For each handover that is realised at the 3G MSC Server due to a change in target location information, a handover- 
event with the new location information is generated. This information will be delivered to the DF2 if available: 



Observed IVISISDN 



Observed I MS I 



Observed IMEI 



event type 



event date 



event time 



Correlation number 



Network Element Identifier 



Location Information 



6.3.3.5 



Release 



For the release or failed attempt of a target call, a release event with the following information is generated. This 
information will be delivered to the DF2 if available: 



Observed MSISDN 



Observed I MS I 



Observed IMEI 



event type 



event date 



event time 



dialled number 



other party address 



call direction 



Correlation number 



Network Element Identifier 



Location Information 



basic service 



call release reason 
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6.3.4 Non Call Related events 



6.3.4.1 



SMS 



For MO-SMS the event is generated in the 3G MSC Server. Dependent on national requirements, event generation shall 
occur either when the 3G MSC Server receives the SMS from the target MS or when the 3G MSC Server receives 
notification that the SMSC successfully receives the SMS; for MT-SMS the event is generated in the 3G MSC Server. 
Dependent on national requirements, event generation shall occur either when the 3G MSC Server receives the SMS 
from the SMSC or when the 3G MSC Server receives notification that the target MS successfully received the message. 
This information will be delivered to the DF2 if available: 



Observed MSISDN 



Observed I MS I 



event type 



event date 



event time 



Network Element Identifier 



Location Information 



SIVIS initiator 



SIVIS Message 



6.3.4.2 



Location update 



For location updates a Location update-event is generated, with the new location information. This information will be 
delivered to the DF2 if available: 



Observed MSISDN 



observed IMSI 



event type 



event date 



event time 



Network Element Identifier 



Location Information 



6.3.4.3 



Subscriber Controlled Input (SCI) 



SCI includes subscriber initiated changes in service activation and deactivation. SCI does not include any information 
available in the CC. For subscriber controlled inputs - a SCI-event is generated with information about the SCI. This 
information will be delivered to the DF2 if available: 



observed MSISDN 



observed IMSI 



event type 



event date 



event time 



Network Element Identifier 



Location Information 
SCI 
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6.4 Intercept cases for circuit switched supplementary services 
6.4.1 Interception of Multiparty call 
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Figure 16: Interception of lUlultiparty for CO 

Figure 16 shows the delivery of CC from intercepted multiparty call where party A is the target of interception. 

One pair of call content channels are delivered to the delivery function. Party A is delivered to the DF3 on one channel 
and the sum of the balance of the parties, B,C and D is delivered on the second channel. 

It should be noted that if parties B,C or D is a target of interception, that intercept is treated as a simple call intercept. 

The events contain information about B, C and D if subscriber A is monitored. If one of B, C or D is monitored, events 
contain the information about A but not the other parties of the conference. 

6.4.2 Interception for Call Forwarding / Call Deflection / ECT 
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Figure 17: Interception for Call Forwarding / Deflection / ECT 

The interception of party B once the supplementary service is invoked is a national option. 
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For Intercept Related Information it depends who is monitored: 

If subscriber A is monitored the number of A and B are mandatory in the event information and the number of C 
if available. 

If subscriber B is monitored the number of B and C are mandatory in the event information and the number of A 
if available. 

If subscriber C is monitored the number of C is mandatory in the event information and the number of A and B if 
available. 

Intercept requirements for CS multi-media is for further study. 



7 Invocation of Lawful Interception for GSN Packet 

Data services 

Figure shows the extract from the reference configuration which is relevant for the invocation of the Lawful 
Interception of the packet data GSN network. 
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Figure 18: Functional model for Packet Data GSN Network Lawful Interception invocation 

The HI2 and HI3 interfaces represent the interfaces between the LEA and two delivery functions. Both interfaces are 
subject to national requirements. They are included for completeness, but are beyond the scope of this specification. 
The delivery functions are used: 

to convert the information on the X2-interface to the corresponding information on the HI2 interface; 

to distribute the intercept related information to the relevant LEA(s); 

to distribute the intercept product to the relevant LEA(s). 

In case a Packet Data communication is selected based on several identities (MSISDN, IMSI, IMEI, ) of the same 
target, the 3G SGSN and/or, per national option 3G GGSN will deliver CC and IRI only once to the DF2 and DF3. 
DF2 and DF3 will then distribute the information to the relevant LEAs. 

For the delivery of the CC and IRI the 3G SGSN and/or, per national option 3G GGSN provides correlation number 
and target identity to the DF2 and DF3 which is used there in order to select the different LEAs where the product shall 
be delivered. 

The correlation number is unique in the whole PLMN and is used to correlate CC with IRI and the different IRI's of one 
PDF context. 

The correlation number shall be generated by using existing parameters related to the PDF context. 

NOTE: If interception has been activated for both parties of the Packet Data communication both CC and IRI will 
be delivered for each party as separate intercept activity. 

In case of location dependent interception: 

for each target, the location dependency check occurs at each Packet Data session establishment or release and at 
each Routing Area (RA) update to determine permanently the relevant lAs (and deduce, the possible LEAs 
within these lAs), 
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concerning the IRI: 

when an lA is left, a Mobile Station Detach event is sent when changing servicing 3 G GSNs or a RA update 
event is sent when changing lAs inside the same servicing 3G SGSN to DF2; 

when a new lA is entered a RA update event is sent to DF2 and, optionally, a "Start of interception with PDF 
context active" event for each PDP context; 

concerning the CC, when crossing lAs, the CC is not sent anymore to the DF3 of the old lA but sent to the DF3 
of the new lA. 

Both in case of location dependent and location independent interception: 

"Start of interception with PDP context active" event is sent by the new SGSN if an Inter-SGSN RA update procedure 
, which involves different PLMNs, takes place for a target, which has at least one active PDP context. 

NOTE: An SGSN can differentiate "Inter PLMN" type of Inter-SGSN RA update procedure from "Intra PLMN" 
type of Inter-SGSN RA update procedure by inspecting the old RAI parameter, which is being received 
by the SGSN as part of the procedure (see 3GPP TS 23.060, section 6.9.1.2.2 and 3GPP TS 23.003, 
section 4.2). 

Optionally, it is possible to send "Start of interception with PDP context active" for all cases of inter- SGSN RA update 
when at least one PDP context is active. 

7.1 Provision of Intercept Product - Short IVIessage Service 

Figure 19 shows an SMS transfer from the 3G SGSN node to the LEA. Quasi-parallel to the delivery from / to the 
mobile subscriber a message, which contains the content and header of the SMS, is generated and sent via the Delivery 
Function 2 to the LEA in the same way as the Intercept Related Information. 

The IRI will be delivered to the LEA: 

for a SMS-MO. Dependent on national requirements, delivery shall occur either when the 3G SGSN receives the 
SMS from the target MS or when the 3G SGSN receives notification that the SMS-Centre successfully received 
the SMS; 

for a SMS-MT. Dependent on national requirements, delivery shall occur either when the 3G SGSN receives the 
SMS from the SMS-Centre or when the 3G SGSN receives notification that the target MS successfully received 
the SMS. 
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Figure 19: Provision of Intercept Product - Short Message Service 
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7.2 Provision of Intercepted Content of Communications - 
Packet data GSN services 

The access method for the delivering of Packet Data GSN Intercept Product is based on dupHcation of packets without 
modification at 3G GSN. The dupHcated packets with additional information in the header, as described in the 
following sections, are sent to DF3 for further delivery via a tunnel. 
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Figure 20: Configuration for interception of Pacltet Data GSN product data 

7.2.1 X3-interface 

In addition to the intercepted content of communications, the following information needs to be transferred from the 3G 
GSN to the DF3 in order to allow the DF3 to perform its functionality: 

target identity; 

correlation number; 

time stamp - optional; 

direction (indicates whether T-PDU is MO or MT) - optional; 

the target location (if available) or the lAs in case of location dependent interception. 

As a national option, in the case where the 3G GGSN is performing interception of the content of communications, the 
intercept subject is handed off to another SGSN and the same 3G GGSN continues to handle the content of 
communications subject to roaming agreements, the 3G GGSN shall continue to perform the interception of the content 
of communication. 

7.3 Provision of Intercept Related Information 

Intercept Related Information (Events) are necessary at the Mobile Station Attach, Mobile Station Detach, PDP Context 
Activation, Start of intercept with PDP context active, PDP Context Deactivation, RA update. Serving System and SMS 
events. 

Serving System event reporting is a national option. 

Figure 21 shows the transfer of intercept related information to the DF2. If an event for / from a mobile subscriber 
occurs, the 3G GSN or the Home Location Register (HLR) sends the relevant data to the DF2. 

See section 7A for multi-media Intercept Related Information produced at the CSCF. 
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Figure 21 : Provision of Intercept Related Information 

7.3.1 X2-interface 

The following information needs to be transferred from the 3G GSN or the HLR to the DF2 in order to allow a DF2 to 
perform its functionality: 

- target identity (MSISDN, IMSI, IMEI); 

events and associated parameters as defined in section 7.3.2 and 7.4 may be provided; 
the target location (if available) or the lAs in case of location dependent interception; 
Correlation number; 
Quality of Service (QoS) identifier. 
The IRI should be sent to DF2 using a reliable transport mechanism. 

7.3.2 Structure of the events 

There are eight different events in which the information is sent to the DF2 if this is required. Details are described in 
the following section. The events for interception are configurable (if they are sent to DF2) in the 3G GSN or the HLR 
and can be suppressed in the DF2. 

The following events are applicable to 3G SGSN: 

- Mobile Station Attach; 

- Mobile Station Detach; 
PDF context activation; 

Start of intercept with PDF context active; 
PDF context modification; 
PDF context deactivation; 

- RA update; 

- SMS. 

NOTE: 3G GGSN interception is a national option. Location information may not be available in this case. 
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The following events are applicable to the 3G GGSN: 

PDP context activation; 

PDP context modification; 

PDP context deactivation; 

Start of interception with PDP context active. 

The following events are appUcable to the HLR: 

Roaming. 

A set of fields as shown below is used to generate the events. The events transmit the information from 3G GSN or 
HLR to DF2. This set of fields as shown below can be extended in the 3G GSN or HLR, if this is necessary as a 
national option. DF2 can extend this information if this is necessary as a national option e.g. a unique number for each 
surveillance warrant. 
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Table 2: Information Events for Packet Data Event Records 



Observed MSISDN 

MSISDN of the target subscriber (monitored subscriber). 



Observed I MS I 

IIVISI of tlie target subscriber (monitored subscriber). 



Observed IMEI 

IIVIEI of tlie target subscriber (monitored subscriber) Jt shall be checl<ed for each activation over the radio interface. 



Event type 

Description which type of event is delivered: MS attach, MS detach, PDP context activation, Start of intercept with 

PDP context active, PDP context deactivation, SMS, Serving System, Cell and/or RA update. 



Event date 

Date of the event generation in the 3G GSN or the HLR. 



Event time 

Time of the event generation in the 3G GSN or the HLR. Timestamp shall be generated relative to GSN or HLR 

internal clock. 



PDP address 

The PDP address of the target subscriber. Note that this address might be dynamic. 



Access Point Name 

The APN of the access point. (Typically the GGSN of the other party). 



Location Information 

Location Information Is the Service Area Identity (SAI), RAI and/or location area identity that is present at the GSN at 

the time of event record production. 



Old Location Information 

Location Information of the subscriber before Routing Area Update 



PDP Type 

The used PDP type. 



Correlation Number 

The correlation number is used to correlate CC and IRI. 



SMS 

The SMS content with header which is sent with the SMS-servlce. The header also includes the SMS-Centre 

address. 



Network Element IdentlflerUnique identifier for the element reporting the ICE. 



Failed attach reason 

Reason for failed attach of the target subscriber. 



Failed context activation reason 

Reason for failed context activation of the target subscriber. 



lAs 

The observed Interception Areas. 



Session Initiator 

The initiator of the PDP context activation, deactivation or modification request either the network or the 3G MS. 



Initiator 

SMS indicator whether the SMS is MO or MT. 



Deactivation / termination cause 

The termination cause of the PDP context. 



OoS 

This field indicates the Quality of Service associated with the PDP Context procedure. 



Serving System Address 

Information about the serving system (e.g. serving SGSN number or serving SGSN address). 
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7.4 



Packet Data related events 



7.4.1 



Mobile Station Attach 



For attach an attach-event is generated. When an attach activation is generated from the mobile to servicing 3G G SN 
this event is generated. These fields will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



Failed attach reason 



lAs (if applicable) 



7.4.2 Mobile Station Detach 

For detach a detach-event is generated, this is for the common (end) detach. These fields will be delivered to the DF2 if 
available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



lAs (if applicable) 



7.4.3 Packet Data PDP context activation 

For PDP context activation a PDP context activation-event is generated. When a PDP context activation is generated 
from the mobile to 3G GSN this event is generated. These fields will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access Point Name 



PDP Type 



Network Element Identifier 



Location Information 



Failed context activation reason 



lAs (if applicable) 



Session Initiator (optional] 



OoS (optional) 
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7.4.4 Start of interception witin PDP context active 

This event will be generated if interception for a target is started and if the target has at least one PDP context active. If 
more then one PDP context are open for each of them an event record is generated. These fields will be delivered to the 
DF2 if available: 



Observed MSISDN 



Observed I MS I 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access Point Name 



PDP Type 



Network Element Identifier 



Location Information 



Old Location Information (optional) 



lAs (if applicable) 



OoS (optional) 



Presence of the optional Old Location Information field indicates that PDP context was already active, and being 
intercepted. However, the absence of this information does not imply that interception has not started in the old location 
SGSN for an active PDP context. 

7.4.5 Pacl^et Data PDP context deactivation 

At PDP context deactivation a PDP context deactivation-event is generated. These fields will be delivered to the DF2 if 
available: 



Observed MSISDN 



Observed IMS! 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access point name 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Deactivation cause 



7.4.6 RA update 



For each RA update an update-event with the fields about the new location is generated. These fields will be delivered 
to the DF2 if available: 



Observed MSISDN 



Observed I MS I 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



lAs (if applicable) 
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7.4.7 SMS 

For MO-SMS the event is generated in the 3G SGSN. Dependent on national requirements, event generation shall occur 
either when the 3G SGSN receives the SMS from the target MS or when the 3G SGSN receives notification that the 
SMS-Centre successfully receives the SMS; for MT-SMS the event is generated in the 3G SGSN. Dependent on 
national requirements, event generation shall occur either when the 3G SGSN receives the SMS from the SMS-Centre 
or when the 3G SGSN receives notification that the target MS successfully received the message. This fields will be 
delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Location Information 



SIVIS 



Initiator 



lAs (if applicable) 



7.4.8 Packet Data PDP context modification 

This event will be generated if interception for a target is started and if the target has at least one PDP context active. 
These fields will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



PDP address of observed party 



Event Type 



Event Time 



Event Date 



Correlation number 



Access Point Name 



PDP Type 



Network Element Identifier 



Location Information 



lAs (if applicable) 



Session Initiator 



OoS 



7.4.9 Serving System 



The Serving System report event is generated at the HLR, when the HLR has detected that the intercept subject has 
roamed. The fields will be delivered to the DF2 if available: 



Observed MSISDN 



Observed IMSI 



Observed IMEI 



Event Type 



Event Time 



Event Date 



Network Element Identifier 



Serving System Address 
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7.5 



Void 



7A Invocation of Lawful Interception for Packet Data 
IVIulti-media Service 

7A.1 Provision of content of communications 

Interception of the content of communications for GSN packet data services is explained in section 7.2. No additional 
content of communications intercept requirements are identified, (to be confirmed pending completion of multi-media 
stage 2 specifications) Activation and invocation of multi-media service does not produce interception of content of 
communications, which must be intercepted at the GSN under a separate activation and invocation. 

7A.2 Provision of IRI 

SIP messaging is reported as Intercept Related Information for the interception of multi-media service. As shown in 
figure 22 below, all SIP messages executed on behalf of a target subscriber are subject to intercept at the P CSCF and S 
CSCF. Based upon network configuration, the ADMF shall provision P CSCFs, or S CSCFs, or both P CSCFs and S 
CSCFs with SIP URL target identifiers. These resulting intercepted SIP messages shall be sent to DF2 for mediation 
prior to transmittal across the HI2 interface. 
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Figure 22: Provision of Intercept Related Information for multi-media 

7A.3 IVIulti-media events 

All SIP messages to or from a targeted subscriber, and all SIP messages executed on behalf of a targeted 
subscriber for multi-media session control are intercepted by the P CSCF and S CSCF and sent to DF2. The 
target identifier used to trigger the intercept will also be sent with the SIP message. P CSCF event reports may be 
redundant with S CSCF event reports when the P CSCF and S CSCF reside in the same network, however, this 
standard does not require nor prohibit redundant information from being reported to DF2. 

The IRI should be sent to DF2 with a reliable transport mechanism. 

The reporting of location information for the sake of location dependent intercept is for further study. 
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The use of a correlation ID for SIP to bearer correlation is a topic for further study. 
An intercepted SIP event sent to DF2 is shown below: 
- Observed SIP URL 

Event Time and Date 

Network element identifier 

SIP Message Header 

SIP Message Payload 

7A.4 Multi-media Call State Control Service Scenarios 

Annex C shows examples of the delivery of intercepted events and product under various call scenarios. 



8 Security 



The security requirements are valid for the whole Lawful Interception system, i.e. rules and procedures shall be used for 
all involved entities, 3G GSN and the DF. 



8.1 Administration security 



The administration of the LI function, i.e. Activation, Deactivation and Interrogation of Lawful Interception, in the 
3G ICEs and the DFs shall be done securely as described below: 

It shall be possible to configure the authorised user access within the serving network to Activate, Deactivate and 
Interrogate Lawful Interception separately for every physical or logical port at the 3G ICEs and DF. It shall be 
possible to password protect user access. 

Only the ADMF is allowed to have access to the LI functionality in the 3G ICEs and DF. 

- The communication links between ADMF, 3G GSN,3G MSC Server, CSCF, DF2, and DF3 may be required by 
national option to support security mechanisms. Options for security mechanisms include: 

- CUG / VPN; 

- COLP; 

- CLIP; 

- authentication; 

- encryption. 

Through the use of user access restrictions, no unauthorised network entities or remote equipment shall be able to view 
or manipulate LI data in the 3G GSN, 3G MSC Server, CSCF or the DFs. 
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8.2 IRI security 

8.2.1 Normal operation 

The transmission of the IRI shall be done in a secure manner. 

When DFs are physically separate from the 3G ICEs, the X2 -interface may be required by national option to support 
security mechanisms. Options for security mechanisms include: 

- CUG/VPN; 

- COLP; 

- CLIP; 
authentication; 
encryption. 

8.2.2 Communication failure 

Depending on the national law in case of communication failure IRI may be buffered in the 3G INEs. After successful 
transmission of IRI the whole buffer shall be deleted. It shall be possible to delete the content buffer via command or a 
timer, in an unrestoreable fashion. 

8.3 CC security 

The transmission of the CC shall be done in a secure manner. 

When DFs are physically separate from the 3G INEs, the X3-interface may be required by national option to support 
security mechanisms. Options for security mechanisms include: 

- CUG/VPN; 

- COLP; 

- CLIP; 
authentication; 
encryption. 

In case of transmission failure no buffering is required within the intercepting network. 

8.4 Security aspects of Lawful Interception billing 

Billing information may be suppressed or made available at the DFs and the ADMF. Billing information for Lawful 
Interception shall be separated from "regular" billing data. 

Billing data transmission to the Lawful Interception billing system may be done in a secure manner per national option. 

In case of transmission failure billing-data shall be buffered/stored in a secure way. After successful transmission billing 
data shall be deleted in an unrestorable fashion. 

8.5 Other security issues 
8.5.1 Log files 

Log files shall be generated by the ADMF, DF2, DF3, 3G MSC Server, CSCF and the 3G GSN. All log files are 
retrievable by the ADMF, and are maintained by the ADMF in a secure manner. 



£75/ 



3GPP TS 33.1 07 version 5.6.0 Release 5 38 ETSI TS 1 33 1 07 V5.6.0 (2003-09) 



8.5.2 Data consistency 



The administration function in the 3GPP MS shall be capable to perform a periodic consistency check to ensure that the 
target list of target identities in all involved 3G MSC Servers, CSCFs, 3G GSNs in the 3GPP MS and the DFs contain 
the appropriate target Ids consistent with the intercept orders in the ADMF. The reference data base is the ADMF data 
base. 
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Annex A (informative): 

Information flows for Lawful Interception invocation of circuit 

switched services 

The following figures show the information flows for the invocation of Lawful Interception for various types of calls. 
The figures show some of the basic signalling messages of the target calls and the events on the X2 and X3-interfaces. 
The call control messages to and from the network are shown for informational purposes only; some of them may not 
be sent or may be combined in certain networks. The handling of the bearers for the basic calls is not shown. The bearer 
points are established in a manner to minimise content loss without delaying the call to the target subscriber. The bearer 
establishment to agency will be in parallel or immediately following the bearer establishment to the target subscriber. 
The flows portray both forward and backward bearer establishment and release to the agency. 



A.1 Mobile originated circuit switched calls 

Figure A. 1 shows the interception of a basic mobile originated circuit switched speech or data call where the originating 
mobile (A) is the target for interception. B is not necessarily also a mobile subscriber and resides on a different 
exchange. 
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Figure A.1 : Interception of mobile originated circuit switched calls 

In figure A. 1 the result (answer) of the set-up of the stublines is not shown. This assumes no special action is taken in 
case of failure. 
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A.2 Mobile terminated circuit switched calls 

Figure A.2 shows the interception of a basic mobile terminated circuit switched speech or data call where the 
terminating mobile (B) is the target for interception. A is not necessarily also a mobile subscriber and resides on a 
different exchange. 
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Figure A.2: Interception of mobile terminated circuit switched calls 
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A.3 Call hold / call waiting 



Figures A.3 and A.4 show the interception of calls involving call hold / call waiting. Figm-e A.3 covers the case where 
one stubline or one pair of stublines is used per target, figure A.4 covers the case where a separate stubline or pair of 
stublines is used for each target call. The mobile that receives the waiting call (A) is the target for interception. 
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Figure A.3: Interception of call hold / call waiting - stublines per target 



ETSI 



3GPP TS 33.107 version 5.6.0 Release 5 



42 



ETSI TS 133 107 V5.6.0 (2003-09) 



DF2 



DF3 DF3 

Bearer Signaling 



stub 



ines' contain CC 



Prepare Bearer Establishment/ 
Establish Bearer 



Call Estiblishment Attempt{C<\, CWAIT) 



S ippl. Service(AB, CHOLD) 



stubl nes" contain CC of CA 



Release Bearer/F elease Resourc« 



stubl nes' contain CC 



MS A MSC Server MGW 

SETUP(AB) 



Answer(AB) 



ofAB 



setup 



of stublines" 



Bearer Establishment 



Answer(CA) 



release 



Bearer 



Release(CA) 



Sjppl. Service(AB, CRITR) 



ofAB 



Release(AB) 



... setup and intenpeption of AB 
A1 ... 



SETUP(CA) 



ALERTING(CA) 



HOLD(AB) 



HOLD ACK(AB) 



CONNECT(CA) 



DISCONNECT(CA) 
^ ► 



of stublines" 
Release 



RETRIEVE(AB) 



RETRIEVE ACK(AB) 



DISCONNECT(AB) 

N ► 



call as in figure 



Establish 

Prepare Bearer 

► 



Bearer/ 
Establishment 



REL 



... release of AB c|all and interception as in 
figure A1 ... 



lAM 



ACM 



CPG(alert) 



ANM 



REL 



Release Resource/ Release Bearer 



Figure A.4: Interception of call hold / call waiting - stublines per target call 
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A.4 Multiparty calls 



Figures A.5 and A.6 show the interception of multiparty calls. Figure A.5 covers the case where one stubline or one pair 
of stublines is used per target, figure A.6 covers the case where a separate stubline or pair of stublines is used for each 
target call. The mobile setting up the multiparty call (A) is the target for interception. 
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Figure A.5: Interception of multiparty calls - stublines per target 
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Figure A.6: Interception of multiparty calls - stublines per target call 
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A.5 Call forwarding / call deflection 

The following pictures show the information flows for the interception of forwarded calls. Information flows will be 
given for three typical cases of call forwarding. All other types of call forwarding / call deflection are intercepted 
similar to one of these. 



A.5.1 Unconditional call forwarding 



Figure A.7 shows the interception of unconditionally forwarded calls. The mobile that activated unconditional call 
forwarding (B) is the target for interception. In this case interception will be performed at the 3G GMSC, where the 
Service Request Indicator (SRI) request for B is issued and subsequently the SRI response indicating that the call shall 
be forwarded is received. 
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Figure A.7: Interception of unconditional call forwarding 



A. 5. 2 Call forwarding on not reachable (IMSI detached) 

Call forwarding on not reachable because the IMSI is detached is also handled on the 3G GMSC. Interception of this 
type of call forwarding is similar to interception of unconditional call forwarding. 
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A. 5. 3 Call forwarding on busy (network determined) 

Figure A.8 shows the interception of call forwarding on busy (network determined). The mobile that activated call 
forwarding on busy (B) is the target for interception. In this case interception will be performed at the 3G MSC where B 
resides, where the busy condition is detected and the call is forwarded. 
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Figure A.8: Interception of call forwarding on busy (network determined) 
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A. 5. 4 Call forwarding on not reachable (no response to 
paging/radio channel failure) 

Call forwarding on not reachable because of no response to paging or radio channel failure is also handled on the 
3G MSC similar to call forwarding on busy (network determined). Interception of this type of call forwarding is 
therefore done in the same way. (see section A.5.3) 

A. 5. 5 Call forwarding on no reply 

Figure A.9 shows the interception of call forwarding on no reply. The mobile that activated call forwarding on no reply 
(B) is the target for interception. In this case interception will be performed at the 3G MSC where B resides, where the 
no reply condition is detected and the call is forwarded. Initially, the interception is similar to the interception of a basic 
mobile terminated circuit switched speech of data call. On no reply time-out, the interception will continue on the 
forwarded call to C. 
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Figure A.9: Interception of call forwarding on no reply 

In figure A.9 the release of the stubhnes is done after the forwarded call is released by A or C. It is a national option not 
to support interception of forwarded calls. In that case, the release of the stublines is done after the call is forwarded and 
B is no longer involved. 

A. 5. 6 Call forwarding on busy (user determined)/call deflection 

Call forwarding on busy (user determined) and call deflection are also handled on the 3G MSC similar to call 
forwarding on no reply. Interception of this type of call forwarding is therefore done in the same way. (see A5.5) 
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A. 5. 7 Call waiting / call forwarding on no reply 

Figures A. 10 and A. 1 1 show the interception of a call involving both call waiting and call forwarding on no reply. 
Figure A. 10 covers the case where one stubline or one pair of stublines is used per target, figure A. 11 covers the case 
where a separate stubline or pair of stublines is used for each target call. The mobile that activated call forwarding on no 
reply and receives the waiting call (B) is the target for interception. In figure A.IO a new (pair of) stublines needs to be 
set up when the call is forwarded since the first (pair of) stublines is still used for the initial call. 
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Figure A.10: Interception of call waiting / call forwarding on no reply - stublines per target 
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Figure A.11 : Interception of call waiting / call forwarding on no reply - stublines per target call 
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A.6 Explicit call transfer 



Figures A. 12 and A. 13 show the interception of explicit call transfer. Figure A. 12 covers the case where one pair of 
stublines is used per target, figure A. 13 covers the case where a separate pair of stubUnes is used for each target call. 
The mobile transferring the call (B) is the target for interception. 
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Figure A.12: Interception of explicit call transfer - stublines per target 
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Figure A.13: Interception of explicit call transfer - stublines per target call 

In figures A. 12 and A.13 the release of the stublines is done after the transferred call is released by A or C. It is a 
national option not to support interception of transferred calls. In that case, the release of the stublines is done after the 
call is transferred and B is no longer involved. 



ETSI 



3GPP TS 33.107 version 5.6.0 Release 5 



55 



ETSI TS 133 107 V5.6.0 (2003-09) 



Annex B (informative): 

Information flows for Lawful Interception invocation of GSN 

Packet Data services 

The following figures show the information flows for the invocation of Lawful Interception for Packet Data and typical 
scenarios. The figures show some of the basic signalling messages of the target Packet Data communication and the 
events on the X2 and X3 interfaces. The dotted lines indicate signalling depending on whether CC and/or IRI 
information has been requested. The Gateway 3G GGSN may setup/release packet tunnels and send IRI information 
depending on national requirements. 

The use of the Gateway 3G GGSN for interception is a national option. 



B.1 Mobile Station Attach 



Figure B. 1 shows the interception of a basic Mobile Station Attach where the mobile (A) is the target for interception. 
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Figure B.1 : Interception of mobile originated Mobile Station Attachment 
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B.2 Mobile Initiated Mobile Station Detach 

Figure B.2 shows the interception of a Mobile Initiated Mobile Station Detach where the originating mobile (A) is the 
target for interception. 
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Figure B.2: Interception of mobile originated Mobile Station Detachment 

B.3 Network initiated Mobile Station Detach 

Figure B.3 shows the interception of a network initiated (by 3G SGSN or HLR) Mobile Station Detach where the 
mobile (A) is the target for interception. 
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NOTE: * Additional signals in case of HLR initiated. 

Figure B.3: Interception of network initiated Mobile Station Detach 
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B.4 Intra 3G GSN Routing Area Update 

Figure B.4 shows the interception of an Intra Routing Area Update where the mobile (A) is the target for interception. 
The sequence is the same for the combined RA / LA Update procedure but additional signalling is performed between 
the current 3G SGSN and the prior 3G SGSN before the Routing Area Update Accept message is sent to the MS. 
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Figure B.4: Interception of an Intra Routing Area Update 



B.5 Inter 3G GSN Routing Area Update 

Figure B.5 shows the interception of an Inter Routing Area Update where the mobile (A) is the target for interception. 
The sequence is the same for the combined RA / LA Update procedure but additional signalling is performed between 
the 3G GSN, HLR and the old 3G GSN before the Routing Area Update Accept message is sent to the MS. In case of 
PDP context not being active less signalling is required. 
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Figure B.5: Interception of an Inter Routing Area Update 
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B.6 PDP Context Activation 



Figure B.6 shows the interception of a PDP Context activation where the mobile (A) is the target for interception. The 
sequence for a network initiated PDP Context activation is analogous but is preceded by the 3G GSN sending a Request 
PDP Context Activation to the MS. 
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Figure B.6: Interception of a PDP Context Activation 



B.7 Start of interception with PDP context active 

A tunnel is established to DF3 and an event is sent to DF2. 
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B.8 MS initiated PDP Context Deactivation 

Figure B.7 shows the interception of a MS initiated PDP Context deactivation where the mobile (A) is the target for 
interception. 
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Figure B.7: Interception of a PDP Context Deactivation 



B.9 Network initiated PDP Context Deactivation 

Figure B.8 shows the interception of a Network initiated PDP Context deactivation where the mobile (A) is the target 
for interception. The 3G GGSN may send, (depending on national requirements) the PDP Context deactivation and 
release the Packet Data tunnel after the Delete PDP Context Response has been sent or received, (signalling between the 
3G SGSN and the 3G GGSN is not shown here). 
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Figure B.8: Interception of a Network initiated PDP Context Deactivation 
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B.10 SMS 



Figures B.9a and B.9b show the interception of a Mobile-terminated SMS. Figures B.lOa and B.lOb show the 
interception of a Mobile-originated SMS. In all the scenarios, the mobile subscriber (A) is the target for interception. 
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Figure B.9a: MT-SMS interception after 3G SGSN receives notification of SIVIS delivery to MS(A) 
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Figure B.9b: MT-SMS interception after 3G SGSN receives SMS from SMSC 
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Figure B.lOa: MO-SMS interception after 3G SGSN receives notification of SMS delivery from SMSC 
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Figure B.10b: MO-SMS interception after 3G SGSN receives SMS from MS(A) 
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Annex C (informative): 

Information flows for the invocation of Lawful Interception for 

Packet Data with multimedia 

The following figures show the information flows for the invocation of Lawful Interception for Packet Data with 
multimedia. The figures show some of the basic signalling messages of the target Packet Data communication and the 
events on the X2 interfaces. The dotted lines indicate signalling depending on whether IRI information has been 
requested. The figures illustrate interception in the visited network. 



C.1 Multimedia registration 



Figures C. 1 . 1 and C. 1 .2 show the intercept of the Multimedia registration for the case of visited network interception. 
(Refer to 3GPP TS 23.228 sections 5.3.2.4 and 5.3.2.5) 
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Figures C.1 .1 and C.1 .2 show the intercept of the IVIultinnedia registration for the case of visited networl< 
interception. (Refer to 3GPP TS 23.228 sections 5.3.2.4 and 5.3.2.5) 

Figure C.1.1 : Intercept of Start of Multimedia Registration 
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Figure C.I. 2: Intercept of Continuation of IVIultimedia Registration 

The same SIP Registration command is used for the initial registration and any registration updates. 
Registration deletion request is accomplished with a Registration command that indicates a '*' contact or 
zero expiration time. 
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C.2 Multimedia Session Establishment and Answer 

Figure C2 shows the intercept of the Multimedia Establishment and Answer in the visited network (Refer to 3G 
TS 23.228, section 5.7.1) 
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Figure C.2 Intercept of Multimedia Establishment and Answer at Visiting Network 
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C.3 Multimedia Release 



Figure C.3 shows the intercept of the Multimedia Release in the visited network (3G TS 23.228, section C.2.1 
reference available). 
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Figure C.3 Intercept of Multimedia Release at Visiting Network 
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Annex D (informative): 

Information flows for Lawful Interception invocation at the 

MGW using H.248 

The following figures show the use of H.248 in setting up a bearer intercept point at the MGW. 

D.1 Mobile to Mobile call, originating side is target 

Figure D.l shows the network model for interception of a mobile -to-mobile call, where the originating mobile 
subscriber is the target for interception. 

Figure D.2 message sequence only shows the H.248 elements related to the necessary topology, which could be used in 
this example. 

Normal call establishment using other H.248 elements shall be in accordance with 3GPP TS 23.205. 
It should be noted that other means exist with H.248 to achieve similar interception. 
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Figure D.1 : Mobile to IVIobile call originating side is target (network model) 
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Figure D.2: Mobile to Mobile call originating side is target 
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